Dutch Spam Fight Boils Over Into Largest-Ever DDoS Attack

A Dutch hosting company has spent the last week slamming the servers of an anti-spam rival's website with useless data requests, and that has set the stage for the mother of all denial of service attacks -- one that has reportedly affected parts of the global Internet with slower speeds. The episode is throwing a spotlight on a potential Web vulnerability, one where a local fight can result in a lot of collateral damage.

By Richard Adhikari
Mar 27, 2013 3:40 PM PT

A week-old squabble between two Dutch groups -- the spamfighting Spamhaus Project and Web hosting service Cyberbunker -- has resulted in what has been called the largest distributed denial of service attack in Web history. The cyberfight reportedly has spilled over onto the global Internet and slowed down some data communications, especially in Europe.

The attacks were launched by Cyberbunker, which says it will host anything except child pornography and terrorism-related content. The company has reportedly hosted spam sites as well as the site for the Russian Business Network gang of cybercriminals.

"Cyberbunker is essentially saying, 'Okay, Spamhaus, who made you God of the Internet?' and they're sending all these attacks to DNS servers spoofing that they're coming from Spamhaus' local DNS server," Marty Meyer, CEO of
Corero Networks, told TechNewsWorld. "They're doing a very good job of taking down Spamhaus' server, but this is clogging up the works of the more generic Internet."

Law enforcement agencies from five countries have reportedly been investigating this battle.

Spamhaus did not respond to our request to comment for this story.

The web services company Akamai, which tracks global Internet activity in real-time, showed above-average attack activity in the UK and the Netherlands as of Wednesday afternoon Pacific Time.

The Nature of the Attacks

The attacks sent requests for responses to domain name system (DNS) servers; those requests were disguised to look like they were coming from Spamhaus' local DNS server, Meyer said. The other servers send their responses to Spamhaus. However, "instead of the normal DNS request looking for an URL, the requests are asking for all the information available in response to their request."

Part of the problem is that Spamhaus, which has offices in Switzerland and the UK, has built one of the world's largest infrastructures. It maintains a network of more than 70 public DNS servers around the world for its real-time spam-blocking databases. An attack on its servers can rapidly ripple out worldwide.

The attack on Spamhaus is causing traffic peaks of 300 Gbps, which "is 4-5 times higher than what we've seen in DDOS attacks on banks recently," Meyer said. "The reason is the nature of the attack -- this is a reflective DNS attack, so it amplifies itself and ripples out to the more central DNS servers, as opposed to having a central botnet pull it off, which is what you're seeing in the attacks on banks."

Internet-centered companies such as Yahoo, Netflix and LinkedIn would be affected by such an attack.

"We don't believe we've seen any impact to our site as a result of the attacks that are reported to be occurring,"
LinkedIn spokesperson Hani Durzy told TechNewsWorld.

Despite the reported widespread nature of the attacks, Internet communications on the whole appear relatively unaffected. Searches on Google and Yahoo conducted at press time show these sites don't appear to have slowed down, and email services also appear to be normal.

Netflix did not respond to our request to comment for this story

Spamhaus a Previous Target

Spamhaus blogged about the DDoS attack on March 20, detailing how it asked security company CloudFlare to help mitigate the assault. CloudFlare then blogged about its efforts to assist Spamhaus.

CloudFlare's blogpost raised the ire of the STOPhaus Project, which describes Spamhaus as a cybercrime organization that is trying to control the Internet through extortion. STOPhaus claims to have members from various countries working to battle Spamhaus.

In 2003, spammers released a virus targeting Spamhaus.

Protecting Against DDOS Attacks

Companies need protection in front of their local DNS networks or from providers like VeriSign, Meyer said. They also need to check requests to make sure they're trusted, meaning they verify the source of the request, examine its size and the response.

"There are technologies that look at the size of the request and the response, and there are ways to protect against this kind of attack, but, like you see with banks and other institutions which were hit by network layer floods, people haven't taken the steps to protect themselves like they should," he said. "It's another weak spot in the foundation of the Internet."